Another way would be for you to create a new user (new uid and gid) and configure the apache configuration file to be writable by the new user/group. A small SUID script (executable only by the new user/group) could be used to send the Apache Daemon SIGHUP or to call "apachectl" to restart Apache to reload the configuration file.

Basically all you have to do is make sure the permissions on the Apache configuration files are such that they are readable by Apache itself, and writable by the user/group you've created, and no one else. To make the apache daemon reload it's configuration file, you need to run something like "apachectl restart" as root.
I strongly feel that you shouldn't make apachectl directly SUID, but instead to use a small intermediary script that has the SUID flag set. This is more secure as it will be small and simple, and can be configured to be run by only the specified user/group.

I agree with asad's suggestion. That'll probably be the most straightforward, and will probably be most secure. However, if the operator manages to screw up the httpd.conf and apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running apache on port >1024 and using port forwarding into that port. That way, you can run the server as a non root user and delegate privileges as you see fit.

I agree with asad's suggestion. That'll probably be the most straightforward, and will probably be most secure. However, if the operator manages to screw up the httpd.conf and apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running apache on port >1024 and using port forwarding into that port. That way, you can run the server as a non root user and delegate privileges as you see fit.

Running scripts that aren't written to be SUID is always a bad idea. Many authors don't bother writing secure code if they know the script will not be running as SUID which is why I show my distaste for SUDO and the like.

A better option would be to just create another tiny SUID script which executes "apachectl start" with the necessary options. Any sort of user-interaction with SUIDs should also be minimal, which is why I didn't suggest creating a direct wrapper for apachectl.

In this way, even if the operator "screws up", he can start/stop/restart apache using the pre-made streamlined SUID scripts without ever having to see root privileges directly.

Other then this, running Apache as a completely non-root user sounds like a pretty good idea

It is true that most modern kernels are configured to disallow execution of interpreted scripts. However, since the types of scripts I've mentioned are hardly one-line, you can use the following C program: